# Rules must be in order: options, normalization, queueing, translation, filtering
# (pfctl error when this is violated: /etc/pf.conf:10: rules must be in order: options, normalization, queueing, translation, filtering)
# sysctl -w net.inet.ip.forwarding=1
# /usr/local/sbin/expiretable -v -d -t 24h SSHbruteforce
# /etc/crontab */5 * * * * /usr/local/sbin/expiretable -t 3600 SSHbruteforce
#------------set interface -------------------
# Interfaces. Macros are expanded textually by pfctl wherever $ext_if / $int_if appear.
# external (upstream-facing) interface; the addresses in the trailing comment appear to be
# the aliases used as NAT/rdr addresses for servers A/B/C further down
ext_if="xl0" #192.168.1.222, 112, 113, 114
# internal (LAN-facing) interface
int_if="rl0" #192.168.0.1
#all_ifs= "{" $int_if $ext_if lo0 "}"
#----------------------------
# Internal LAN prefix derived from the interface address (pf ":network" modifier).
# NOTE(review): only referenced from commented-out rules; the live rules spell $int_if:network directly.
local_int_net=$int_if:network
#------------------------------
#------------set ports -------------------
# Port macros. A "{ }" list expands into one rule per member when pfctl loads the file.
# sshd listens on a non-default port (see the sockstat notes at the end of the file)
ssh_port="{ 2222 }"
# NOTE(review): http_port / ftp_port / base_port are only used by the commented-out ALTQ rules
http_port="8001"
ftp_port="8002"
base_port="8003"
# only used by a commented-out relayd pass rule
remote_monitor_port="{ 7410 }"
# public web port relayed to the internal network
web_ports = "{ 80 }"
# service ports redirected to internal servers A/B/C and admitted by the <bruteforce>-guarded pass rule
server_ports = "{ 8881, 8882, 8883, 7410 }"
#int_server_ports_range="8881:9888"
# "8881:*" as an rdr target port maps the matched external range onto a range starting at 8881,
# keeping the offset (pf port-range redirection)
int_server_ports_range="8881:*"
# external range redirected to server A (18881 -> 8881, 18882 -> 8882, ...)
ext_server_A_ports_range="18881:18889"
#rdr on $ext_if inet proto tcp from any to any port $int_server_ports_range -> $int_server_A_ip port $int_server_ports_range
#test_ports="{12345, 12346,12347}"
#priv_nets = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"
# ICMP types admitted by the "icmp set" pass rules below (echoreq = echo request, ICMP type 8)
icmp_types="echoreq"
# server_int_ports = "{ 1001, 1002, 1003, 1004, 1005, 1006 }"
#
# server_A_rdr_ports="{ 10001, 10002, 10003, 10004, 10005, 10006 }"
# server_B_rdr_ports="{ 20001, 20002, 20003, 20004, 20005, 20006 }"
# server_C_rdr_ports="{ 30001, 30002, 30003, 30004, 30005, 30006 }"
#-------------------------------
#---------ssh ip-----
#table <ssh_ip_tbl> const file "/etc/ssh_ip_tbl.txt"
#table <ssh_ip_tbl> const "{ 192.168.1.0/24, 192.168.0.0/24 }"
# Address tables. "const" tables cannot be modified at runtime with pfctl -T.
# admin hosts allowed to reach sshd without the rate-limit/overload tracking (see the ssh section)
table <safe_ssh_ip> const { 192.168.1.88, 192.168.1.99 , 192.168.1.111}
# "self" expands to every address configured on this host's interfaces
table <firewall> const { self } # self
#table <firewall> const { $ext_if:network:0}
#table <firewall> const { $ext_if:0 }
#table <int_safe_ssh_ip> const { 192.168.0.111, 192.168.0.112, 192.168.0.113 }
#p14, 1.7.12 uRPF
#1.7.14, pass in quick on fxp0 all allow-opts
#ssh_ip = "{ 192.168.1.0/24 , 192.168.0.0/24 }"
#ssh_ip = "{ 192.168.1.88 }"
#---------ssh ip end-----
#-----------set server ip-------------------
# Server addresses. Each internal server is paired with its own external alias on $ext_if:
# source NAT in the nat section maps server -> alias, rdr in the rdr section maps alias -> server.
int_server_A_ip = "192.168.0.112"
int_server_B_ip = "192.168.0.113"
int_server_C_ip = "192.168.0.114"
#---------------------------
# lab addresses; the production ("real ip") values are kept commented out below
ext_if_A_ip = "192.168.1.112"
ext_if_B_ip = "192.168.1.113"
ext_if_C_ip = "192.168.1.114"
#-----------------------
# real ip
#ext_if_A_ip = "x.x.x.16"
#ext_if_A_port="{ 8881, 8882, 8883 }"
#-------------------------
# NOTE(review): the commented B/C values carry a leading space inside the quotes; strip it before re-enabling them
#ext_if_B_ip=" x.x.x.150"
#B_port = "8881"
#ext_if_C_ip=" x.x.x.18"
#ext_if_C_port="7902"
#-----------------------
# NOTE(review): only referenced from the commented-out "one ip to mulport" rdr rules
ext_if_master_ip = "192.168.1.115"
#------------------------------
#---------option---------------------
# Blocked packets are silently dropped (no TCP RST / ICMP unreachable is returned);
# "return" would let a remote host distinguish filtered ports from closed ones.
set block-policy drop
#set block-policy return
#set optimization aggressive
#set optimization aggressive
# loopback is not filtered at all (it is also exempt from the "block in" default below)
set skip on lo0
# interface for which pfctl -s info keeps packet/byte statistics; this is not packet logging,
# "log" on individual rules does that
set loginterface $ext_if
#---------option end---------------------
#-------------scrub setting ---------
# Normalize every inbound packet on every interface (pf scrub: fragment reassembly and
# header sanity checks) before the stateful rules see it; lo0 is exempt via "set skip".
scrub in all
#------------------------------------
#-----------------------------------------
# altq on $ext_if cbq bandwidth 100% queue { http_in, ftp_in, base_in , ssh_in} #定义总带宽
# queue base_in bandwidth 40% cbq(default) #base占用总带宽的40%,以下依次类推
# queue http_in bandwidth 30%
# queue ftp_in bandwidth 25%
# queue ssh_in bandwidth 5% priority 1 cbq(borrow)
#-----------------------------------------
#nat on $ext_if from <safe_nat_ip_tbl> to any -> ($ext_if)
#rdr on $ext_if inet proto tcp from any to any port $web_ports -> $web_server
#-------------------nat setting --------------
#nat on $ext_if from $int_if:network to any -> ($ext_if)
# Source NAT: each internal server leaves through its own external alias, so the address a server
# is seen from matches the alias its rdr rule listens on.
# (The generic "LAN -> ($ext_if)" NAT is commented out above, so other LAN hosts are not translated
# by this file; only a rule loaded into the nat anchor below could do that.)
nat on $ext_if from $int_server_A_ip to any -> $ext_if_A_ip
nat on $ext_if from $int_server_B_ip to any -> $ext_if_B_ip
nat on $ext_if from $int_server_C_ip to any -> $ext_if_C_ip
#nat on $ext_if inet proto {tcp, udp, icmp } from $local_int_net to any -> ($ext_if)
#nat on $ext_if inet proto {tcp, udp, icmp } from $int_server_A_ip to any -> $ext_if_A_ip
#nat on $int_if inet proto {tcp, udp, icmp } from $int_server_A_ip to any -> $ext_if_A_ip
#nat on $ext_if inet proto {tcp, udp, icmp } from $int_server_A_ip to any port $server_ports -> $ext_if_A_ip
# NAT rules loaded at runtime with "pfctl -a nat_anchor:<name> -f -" are evaluated here
# (see the anchor notes at the end of the file)
nat-anchor "nat_anchor/*"
#nat-anchor mynat
#-------------------nat end--------------
#-------------------rdr setting --------------
#rdr-anchor myrdr
# Redirections relayd installs at runtime (presumably "pfctl -a relayd:<name>", see the anchor notes) are evaluated here
rdr-anchor "relayd/*"
#rdr on $ext_if inet proto tcp from any to any port $server_ports -> $int_server_A_ip
# Per-alias port forwarding: traffic for alias X on $server_ports goes to internal server X.
# After translation the destination lies in $int_if:network, which is what the filter rules match on.
rdr on $ext_if inet proto tcp from any to $ext_if_A_ip port $server_ports -> $int_server_A_ip
rdr on $ext_if inet proto tcp from any to $ext_if_B_ip port $server_ports -> $int_server_B_ip
rdr on $ext_if inet proto tcp from any to $ext_if_C_ip port $server_ports -> $int_server_C_ip
#----------map port range---------
# 18881:18889 -> server A 8881:8889 ("8881:*" keeps the offset).
# NOTE(review): "to any" matches every address on $ext_if, including the B and C aliases;
# restrict it to $ext_if_A_ip if that is not intended. Also only 8881-8883 (and 7410) are in
# $server_ports, so the redirected ports 8884-8889 fall to the default "block in" in the filter
# section unless an anchor passes them.
rdr on $ext_if inet proto tcp from any to any port $ext_server_A_ports_range -> $int_server_A_ip port $int_server_ports_range
#rdr on $ext_if inet proto tcp from any to any port $ext_server_A_ports_range -> $int_server_A_ip port 8881:* #auto extern to
#rdr on $ext_if inet proto tcp from any to any port $ext_server_A_ports_range -> $int_server_A_ip port 8881 #all map to one port
#----------map port range end---------
#rdr on $ext_if inet proto tcp from any to $ext_if_master_ip port $server_A_rdr_ports -> $int_server_A_ip port $server_int_ports
#------------------------------------one ip to mulport ---------------
# rdr on $ext_if inet proto tcp from any to $ext_if_master_ip port 10001 -> $int_server_A_ip port 8001
# rdr on $ext_if inet proto tcp from any to $ext_if_master_ip port 10002 -> $int_server_A_ip port 8002
#
# rdr on $ext_if inet proto tcp from any to $ext_if_master_ip port 20001 -> $int_server_B_ip port 8001
# rdr on $ext_if inet proto tcp from any to $ext_if_master_ip port 20002 -> $int_server_B_ip port 8002
#------------------------------------one ip to mulport end ---------------
#rdr on $ext_if inet proto tcp from $ext_if_A_ip to any -> $int_server_A_ip
#rdr on $ext_if inet proto tcp from $ext_if_A_ip to any port $server_ports -> $int_server_A_ip
#rdr on $ext_if inet proto tcp from $ext_if_B_ip to any port $server_ports -> $int_server_B_ip
#rdr on $ext_if inet proto tcp from $ext_if_C_ip to any port $server_ports -> $int_server_C_ip
#-------------------rdr end--------------
#-------------------binat setting -----------
#binat-anchor "binat/*"
#binat on $ext_if inet proto tcp from $int_server_A_ip to any -> $ext_if_A_ip
#binat on $ext_if inet proto tcp from $int_server_A_ip to any -> $ext_if_A_ip
#binat on $ext_if inet proto tcp from $int_server_A_ip to any -> $ext_if_A_ip
#binat on $ext_if inet proto tcp from $int_server_A_ip to any port $server_ports -> $ext_if_A_ip
#binat on $ext_if inet proto tcp from $int_server_B_ip to any port $server_ports -> $ext_if_B_ip
#binat on $ext_if inet proto tcp from $int_server_C_ip to any port $server_ports -> $ext_if_C_ip
#-------------------binat end -----------
#-------------------filter setting ------------------
# Default policy: deny everything inbound on the external interface; later "pass" rules punch
# holes (last match wins unless "quick"). There is no default block on the internal interface.
# NOTE(review): this block does not "log", so dropped inbound traffic never reaches pflog except
# via the explicit "block log" TCP-flag rule below. Consider "block in log on $ext_if all" if
# visibility into rejected traffic is wanted.
block in on $ext_if all
# loopback is already exempt via "set skip on lo0"; kept for clarity
pass quick on lo0 all
# everything leaving through either interface (the firewall's own and forwarded/NATed traffic)
# is allowed and a state entry lets the replies back in
pass out on $ext_if all keep state
pass out on $int_if all keep state
#---------ip spoof -----
# expands to block rules that reject packets with a source in $ext_if's network arriving on any
# other interface, and packets that claim $ext_if's own address
antispoof quick for $ext_if inet
#pass in quick on $ext_if proto tcp from any to $ext_if_A_ip port $server_ports flags S/SA synproxy state
#pass in quick on $ext_if proto tcp from $ssh_ip to any port $ssh_port keep state
#pass in quick on $ext_if proto tcp from <ssh_ip_tbl> to any port $ssh_port keep state
#pass in quick on $ext_if proto tcp from { <ssh_ip_tbl>, <safe_ssh_ip> } to any port $ssh_port keep state
#
#-----------------------drop nmap -------------------
# Drop TCP packets with flag combinations normal TCP never uses (typical of port scanners).
# pf "flags a/b": every flag listed in b is examined, and exactly those listed in a must be set.
# FIN+URG+PSH all set ("Xmas")
block log quick on $ext_if inet proto tcp from any to any flags FUP/FUP
# SYN and FIN set together, RST and ACK clear
block quick on $ext_if inet proto tcp from any to any flags SF/SFRA
# none of SYN/FIN/RST/ACK set ("null")
block quick on $ext_if inet proto tcp from any to any flags /SFRA
# NOTE(review): only the first of the three rules is logged; add "log" to the other two for consistent detection.
# #block quick on $ext_if on "NMAP"
#-----------------------drop nmap end-------------------
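#--------------icmp echo on ext_if =====================
# NOTE(review): the original section header said "drop ping", but the "block in ... icmp-type 8 code 0"
# rule that stood here was dead: the "pass in quick" below matches exactly the same packets and "quick"
# ends evaluation, so inbound echo requests were (and still are) accepted. The dead rule is removed so
# the section reads as what it actually does. To really drop inbound ping, delete the "pass in quick"
# line here and the echoreq "pass in" in the icmp section further down.
# (A mis-encoded, unreadable comment that was also in this section has been dropped.)
# echo requests leaving $ext_if; the reply is matched by the state entry
pass out on $ext_if inet proto icmp all icmp-type 8 code 0 keep state
# echo requests arriving on $ext_if, stateless; the reply leaves through "pass out on $ext_if all keep state"
pass in quick on $ext_if inet proto icmp all icmp-type 8 code 0
#--------------icmp echo on ext_if end =====================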
#----------------------------------------------------------
#拒絕內部私有 IP 對 $ext_if 網路卡連線
#block drop in quick on $ext_if from $priv_nets to any
#block drop out quick on $ext_if from any to $priv_nets
#----------------------------------------------------------
#pass in on $inf_if proto rcp from any to any queue std_in
# LAN-side stateful pass: internal hosts may initiate anything through $int_if, and traffic
# heading back into the LAN (replies and forwarded/redirected connections) is allowed.
pass in on $int_if from $int_if:network to any keep state
pass out on $int_if from any to $int_if:network keep state
#---set anchor ---
# filter rules pushed at runtime with "pfctl -a goodguys:<sub> -f -" are evaluated at this position,
# i.e. after the default block and before the ssh/server rules below
anchor goodguys
#anchor myanchor
#load anchor goodguys:ssh from "/etc/anchor-goodguys-ssh
#echo "pass in proto tcp from 192.168.1.88 to any port 22" \
# | pfctl -a goodguys:ssh -f -
#---set test point ---
#block in log quick on $ext_if inet proto { tcp, udp } from any to any port $test_ports
#label "just test"
#just test
#-----------------------------------------
# pass in quick on $ext_if proto tcp from any to any port $ssh_port keep state queue ssh_in
# pass in quick on $ext_if proto tcp from any to any port $http_port keep state queue http_in
# pass in quick on $ext_if proto tcp from any to any port $ftp_port keep state queue ftp_in
# pass in quick on $ext_if proto { tcp, udp } from any to any port $base_port keep state queue base_in
# #pass in quick on $ext_if proto tcp from any to any keep state queue base_in #配合pf使用预先定义的altq规则
#-----------------------------------------
# LAN hosts talking to the firewall's own external address(es); "($ext_if)" is re-evaluated when
# the interface addresses change. Overlaps the generic LAN pass above (both pass); "quick" just
# makes this the final match for tcp/udp/icmp to those addresses.
pass in quick on $int_if inet proto {tcp, udp, icmp } from $int_if:network to ($ext_if) keep state
#pass in quick on $int_if inet proto {tcp, udp, icmp } from $local_int_net to $ext_if:network keep state #lable "int to ext"
#--------------icmp set ----------
#---enable icmp ping
# NOTE(review): inbound echo requests with code 0 never reach this rule — the earlier
# "pass in quick on $ext_if inet proto icmp all icmp-type 8 code 0" takes them first (quick).
# This inbound rule therefore only sees echo requests with a non-zero code.
pass in quick on $ext_if inet proto icmp all icmp-type $icmp_types keep state
# outbound echo requests (any code) with state so the replies are let back in
pass out quick on $ext_if inet proto icmp all icmp-type $icmp_types keep state
#pass in inet proto icmp all icmp-type $icmp_types
#---disable icmp ping
#block in inet proto icmp all icmp-type echoreq keep state
#block drop on $ext_if inet proto icmp all icmp-type echoreq from any to $ext_if keep state
#--------------icmp end ----------
#pass in on $ext_if inet proto tcp from any to $ext_if:0 port $web_ports flags S/SA synproxy state
#------------just for relayd relay to int network --------
# Public web traffic to the internal servers: relayd's redirection (rdr-anchor "relayd/*") has
# already rewritten the destination into $int_if:network, so that is what is matched here.
# "synproxy state" completes the TCP handshake on the firewall first, so the backend only ever
# sees established connections. No "quick": a later matching rule could still override this.
pass in on $ext_if inet proto tcp from any to $int_if:network port $web_ports flags S/SA synproxy state
#pass in on $ext_if inet proto tcp from any to $int_if:network port $remote_monitor_port flags S/SA synproxy state
#------------just for relayd relay to int network end --------
#--------------------------ssh set =========================
#block quick on $int_if inet proto tcp from $int_if:network to $ext_if port $ssh_port
# Offenders added by the overload option below; "persist" keeps the table even while it is empty.
# Entries are aged out by the expiretable cron line quoted in the file header.
table <SSHbruteforce> persist
#table <FTPbruteforce> persist
# Admin hosts reach sshd on the firewall itself with no rate limiting. Because this rule precedes
# the <SSHbruteforce> block, these hosts can also never be locked out by it.
pass in quick on $ext_if inet proto tcp from <safe_ssh_ip> to <firewall> port $ssh_port synproxy state
# lock out sources the overload option has added (any direction, any interface)
block quick from <SSHbruteforce>
# sshd reachable from anywhere, rate limited per source: more than 5 simultaneous established
# connections, or more than 5 new connections within 10 s, adds the source to <SSHbruteforce>;
# "flush global" then kills every state that source holds, not only its ssh states.
# NOTE(review): "to any" also passes forwarded packets for $ssh_port addressed to hosts behind
# the firewall (ip.forwarding is on per the header), not only the firewall itself; use
# "to <firewall>" unless forwarded ssh is intended.
# NOTE(review): this rule uses "keep state" while the admin rule above uses "synproxy state";
# pick one so both behave the same under a SYN flood.
pass in log quick on $ext_if inet proto tcp from any to any port $ssh_port keep state (max-src-conn 5, max-src-conn-rate 5/10,overload <SSHbruteforce> flush global)
#pass in log quick on $ext_if inet proto tcp from <safe_ssh_ip> to any port $ssh_port keep state (max-src-conn 5, max-src-conn-rate 3/10,overload <SSHbruteforce> flush global)
#pass quick on $ext_if inet proto tcp from $ssh_ip to any port $ssh_port keep state (max-src-conn 5, max-src-conn-rate 3/10,overload <SSHbruteforce> flush global)
#pass in log quick on $ext_if inet proto tcp from { <safe_ssh_ip> , <int_safe_ssh_ip> } to any port $ssh_port keep state (max-src-conn 5, max-src-conn-rate 3/10,overload <SSHbruteforce> flush global)
#--------------ssh-bruteforce table -----------
# table <ssh-bruteforce> persist
# block quick from <ssh-bruteforce>
# pass in log quick on $ext_if inet proto tcp from any to any port $ssh_port \
# flags S/SA synproxy state ( source-track rule, max-src-states 200, \
# max-src-conn-rate 5/3, max-src-nodes 1025, overload <bruteforce> flush global )
# #max-src-conn-rate 5/1, max-src-nodes 1024, overload <bruteforce> flush global, tcp.established 10, \
# #src.track 3 )
#--------------------------ssh set =========================
#--------------bruteforce table -----------
# Sources that abuse the public service ports; "persist" keeps the table across reloads even when empty.
# Maintained by hand with pfctl -t bruteforce -T add/del/show/flush (see the notes below); unlike
# <SSHbruteforce> no expiretable cron line is shown for it.
table <bruteforce> persist
#--- # block for test bruteforce
# NOTE(review): the block rule for this table is commented out, so being added to <bruteforce> has
# no lasting effect on the offender beyond the one-time "flush global" state kill — its new
# connections are not refused.
#block quick from <bruteforce>
#port $server_ports
#pass in log quick on $ext_if inet proto tcp from any to any port $server_ports
# Public service ports (already rdr'ed onto $int_if:network), synproxied, with per-rule and
# per-source limits:
#   max 4000               - at most 4000 states for this rule in total
#   source-track rule      - per-source counters are kept separately for this rule
#   max-src-states 20      - at most 20 simultaneous states per source address
#   max-src-conn 200       - at most 200 established connections per source
#   max-src-conn-rate 15/3 - more than 15 new connections in 3 s adds the source to <bruteforce>
#   max-src-nodes 100      - at most 100 distinct source addresses tracked at once
# NOTE(review): max-src-states 20 already caps a source at 20 states, so max-src-conn 200 appears
# unreachable; and max-src-nodes 100 means at most 100 client addresses can hold state on these
# public ports at the same time — verify that limit is intended for an Internet-facing service.
# NOTE(review): the comma between "max-src-conn 200" and "max-src-conn-rate" is missing; pf's
# grammar makes the comma optional, but write it like the ssh rule above for consistency.
pass in log quick on $ext_if inet proto tcp from any to $int_if:network port $server_ports \
flags S/SA synproxy state (max 4000, source-track rule, max-src-states 20, \
max-src-conn 200 max-src-conn-rate 15/3, max-src-nodes 100, overload <bruteforce> flush global )
#queue base_in
#max-src-conn-rate 5/1, max-src-nodes 1024, overload <bruteforce> flush global, tcp.established 10, \
#src.track 3 )
#max-src-conn 10 max-src-conn-rate 25/3
#pass in on $ext_if inet proto tcp from any to any flags S/SA keep state
#pfctl -t bruteforce -Tadd 204.110.22.111
#pfctl -t bruteforce -T show
#pfctl -t bruteforce -T del 204.110.22.111
#pfctl -t bruteforce -T flush
#--------------bruteforce table end-----------
#-------------------filter end ------------------
#-----tcpdump ----------------
#DEV="rl0"
#V="-vvv"
#LOG="-w /tmp/tcpdump.log"
#LOG=""
#TCP_FLAG="tcp[8:4]&0xFFFFFFFF=1 and tcp[13] & 0xff = 16"
#TCP_FLAG="tcp[13] & 0xFF = 16"
#TCP_FLAG="tcp[13] & 0x03 != 0"
#TCP_FLAG="tcp[13] & 0x08 != 0"
#TCP_FLAG="tcp[13] & 0x08 != 0 and tcp[32:2] = 0x4040" #@@
#TCP_FLAG="tcp[13] & 0x08 != 0 and tcp[32:2] != 0x4040" #Not @@ start
#TCP_FLAG="tcp[13] & 0x08 != 0 and tcp[20:2] != 0x4040" #Not @@ start
#tcpdump $LOG -i $DEV -nn -X $TCP_FLAG
#-----tcpdump end----------------
#============================
# /etc/ssh/sshd_config
#LoginGraceTime 120
#如果用户在规定的时间之内没有正确的登录,则断开。如果为0,则不限制;默认120秒
#MaxStartups 10
#设置同时发生的未验证的并发量,即同时可以有几个登录连接,默认为10
#==============================
# /etc/syslog.conf
# auth.* /var/log/auth.log
#-----------------------------
# and ChallengeResponseAuthentication to 'no'.
#UsePAM no
# Change to yes to enable built-in password authentication.
#PasswordAuthentication no
#PermitEmptyPasswords no
#=================================
# * Protocol 2 # 表示使用SSH-2,增加安全
# * ServerKeyBits 1024 # 默认的密钥长度是768,改成我们的密钥长度1024
# * PermitRootLogin no # 表示不允许以root的身份登录,root的工作应该由sudo来完成
# * PermitEmptyPasswords no # 禁止空密码的登录
# * PasswordAuthentication no # 关闭密码认证方式,使得我们从远程只能使用密钥认证
# * UseLogin no # 同上,关闭其他认证方式
# * UsePAM no # 同上,关闭其他认证方式
# * PubkeyAuthentication yes # 允许使用秘钥认证
#=================================
# /usr/ports/security/denyhosts
# 使用 pftop 来查看 anchor
#--------------------------------
# -------------------------------------------------------------------------------
# To run denyhosts from startup, add denyhosts_enable="YES"
# in your /etc/rc.conf.
# Configuration options can be found in /usr/local/etc/denyhosts.conf
# -------------------------------------------------------------------------------
# For denyhosts to work properly:
# 1. edit your /etc/hosts.allow file and add:
# sshd : /etc/hosts.deniedssh : deny
# sshd : ALL : allow
# 2. issue the following command if /etc/hosts.deniedssh does not exist yet
# touch /etc/hosts.deniedssh
# -------------------------------------------------------------------------------
#sudo cat /var/log/auth.log |grep ssh|grep Failed|grep root|cut -d ":" -f 4|cut -d " " -f 7|uniq|sort
#-------------------------------------
# altq on $ext_if cbq bandwidth 100% queue { http_in, ftp_in, base_in , ssh_in} #定义总带宽
# queue base_in bandwidth 40% cbq(default) #base占用总带宽的40%,以下依次类推
# queue http_in bandwidth 30%
# queue ftp_in bandwidth 25%
# queue ssh_in bandwidth 5% priority 1 cbq(borrow)
#
#
# nat on $ext_if from <safe_nat_ip_tbl> to any -> ($ext_if)
# #rdr on $ext_if inet proto tcp from any to any port $web_ports -> $web_server
#
# pass in quick on $ext_if proto tcp from any to any port $ssh_port keep state queue ssh_in
# pass in quick on $ext_if proto tcp from any to any port $http_port keep state queue http_in
# pass in quick on $ext_if proto tcp from any to any port $ftp_port keep state queue ftp_in
# pass in quick on $ext_if proto { tcp, udp } from any to any port $base_port keep state queue base_in
# pass in quick on $ext_if proto tcp from any to any keep state queue base_in #配合pf使用预先定义的altq规则
# #-------------------------------------
#=====================anchor ==================
#http://bbs3.chinaunix.net/thread-1522657-1-1.html
#1. set nat-anchor nat_anchor/*
#2. sudo sh -c 'echo "nat on xl0 from 192.168.0.23 to any -> xl0 "|pfctl -a nat_anchor:tt -f -'
#3. sudo pfctl -sA
#4. sudo pfctl -a "nat_anchor:tt" -sn #(-s n -->show nat tables)
#5. set anchor myanchor
#6. sh -c 'echo "pass in quick on xl0 from any to any "|pfctl -a myanchor:tt -f -'
#7. sudo pfctl -a "myanchor:tt" -sr
#8. set rdr-anchor relayd/*
#9. sudo sh -c 'echo "rdr on xl0 inet proto tcp from any to any port 80 -> 192.168.0.115 port 8080"|pfctl -a relayd:web -f -'
#10. sudo pfctl -a "relayd:web" -sn
#=====================anchor end==================
#netstat -an | awk '/^tcp/{ A[$NF]++} END{ for (a in A) print a, A[a]}'
#netstat -an |awk '/LISTEN/{next};/^tcp/{s=split($5, N,":"); \
#A[N[s-1]]++} END{ for (a in A) print a, A[a]}'
#sockstat -4c |awk '/:2222/{split($6,ip,":");++A[ip[1]]}END{for(i in A) print A[i],i}' |sort -rn
#sockstat | grep :666 | awk '{ print $1 | "sort -n" }' | uniq -d
#------------------------------------------------------------